OpenVPN load balance setting / load balancing and high-availability mutual failover

A while ago the Storage Cluster failed while switching resources during a failover, which left some virtual machines unable to run normally, the OpenVPN host among them. When Nagios detected the anomaly and sent out the error notification, we could not connect back into the company to deal with it.

Once OpenVPN goes down there is no way to connect into the company to carry out repairs. Previously only one OpenVPN server ran on the virtual platform; to be safe we have now added one more OpenVPN server on a physical host so that OpenVPN can provide a highly available service.

How to set up OpenVPN load balancing

The setup is simple and comes in two steps: 1. client-side configuration, 2. server-side configuration.

1. Client-side configuration: list the OpenVPN servers to choose from and enable the load-balancing option, so that connections are spread across them.

2. Server-side configuration: the simplest approach is to copy the configuration file and the required encryption and authentication keys from the original OpenVPN server to each newly added OpenVPN server (the HOWTO quoted below notes that each server should use a different virtual IP address pool). Then just start them and the job is done.

P.S.: Because the company has only a limited number of public IPs, the firewall is configured to use a single public IP and forward the OpenVPN service on different ports to different OpenVPN servers.

Reference: the official manual

The HOWTO section "Implementing a load-balancing/failover configuration"

Implementing a load-balancing/failover configuration

Client

The OpenVPN client configuration can refer to multiple servers for load balancing and failover. For example:

remote server1.mydomain
remote server2.mydomain
remote server3.mydomain

will direct the OpenVPN client to attempt a connection with server1, server2, and server3 in that order. If an existing connection is broken, the OpenVPN client will retry the most recently connected server, and if that fails, will move on to the next server in the list. You can also direct the OpenVPN client to randomize its server list on startup, so that the client load will be probabilistically spread across the server pool.

remote-random

If you would also like DNS resolution failures to cause the OpenVPN client to move to the next server in the list, add the following:

resolv-retry 60

The 60 parameter tells the OpenVPN client to try resolving each remote DNS name for 60 seconds before moving on to the next server in the list.

The server list can also refer to multiple OpenVPN server daemons running on the same machine, each listening for connections on a different port, for example:

remote smp-server1.mydomain 8000
remote smp-server1.mydomain 8001
remote smp-server2.mydomain 8000
remote smp-server2.mydomain 8001

If your servers are multi-processor machines, running multiple OpenVPN daemons on each server can be advantageous from a performance standpoint.

OpenVPN also supports the remote directive referring to a DNS name which has multiple A records in the zone configuration for the domain. In this case, the OpenVPN client will randomly choose one of the A records every time the domain is resolved.

Server

The simplest approach to a load-balanced/failover configuration on the server is to use equivalent configuration files on each server in the cluster, except use a different virtual IP address pool for each server. For example:

server1

server 10.8.0.0 255.255.255.0

server2

server 10.8.1.0 255.255.255.0

server3

server 10.8.2.0 255.255.255.0
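As an added consistency check (not code from the original post or from the OpenVPN project), the following Python script parses a client config together with the cluster's server configs and verifies the points above: remote-random is enabled, every port the client lists is answered by some server (the single-public-IP, different-port arrangement from the P.S.), and the servers' virtual IP pools do not overlap. The host name vpn.example.com, the ports 1194/1195 and the pools are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample configs, not from the original post; vpn.example.com and ports
# 1194/1195 are assumptions: one public IP, each port forwarded to a different server.
CLIENT_CONF = """\
remote vpn.example.com 1194
remote vpn.example.com 1195
remote-random
resolv-retry 60
"""
SERVER_CONFS = {
    "server1": "port 1194\nserver 10.8.0.0 255.255.255.0\n",
    "server2": "port 1195\nserver 10.8.1.0 255.255.255.0\n",
}

def directives(conf):
    """Return each non-empty config line as a list of tokens."""
    return [line.split() for line in conf.splitlines() if line.split()]

def parse_remotes(conf):
    """Return (host, port) pairs from 'remote' lines; port defaults to 1194."""
    return [(p[1], int(p[2]) if len(p) > 2 else 1194)
            for p in directives(conf) if p[0] == "remote"]

def parse_server(conf):
    """Return (listen port, virtual IP pool) from a server config."""
    port, pool = 1194, None
    for p in directives(conf):
        if p[0] == "port":
            port = int(p[1])
        elif p[0] == "server":
            pool = ipaddress.ip_network(f"{p[1]}/{p[2]}")
    return port, pool

def check_cluster(client_conf, server_confs):
    """Return a list of problems; an empty list means the cluster is consistent."""
    problems = []
    remotes = parse_remotes(client_conf)
    if ["remote-random"] not in directives(client_conf):
        problems.append("remote-random missing: every client tries the first remote first")
    servers = {name: parse_server(c) for name, c in server_confs.items()}
    ports = {port for port, _ in servers.values()}
    for host, port in remotes:
        if port not in ports:
            problems.append(f"remote {host}:{port} matches no server listen port")
    for a, b in combinations(servers, 2):
        if servers[a][1].overlaps(servers[b][1]):
            problems.append(f"{a} and {b} use overlapping virtual IP pools")
    return problems
```

Run check_cluster(CLIENT_CONF, SERVER_CONFS) after editing the configs; an empty list means the client's remote list and the server pools agree.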
